84% of US employees have never heard of GDPR

A survey of corporate employees by insider threat management company ObserveIT reveals a greater understanding of privacy laws in the UK than in the US.

Concerns about user privacy have triggered various regulations designed to better protect private data. Enacted by the European Union, the General Data Protection Regulation (GDPR) may be the widest in scope and scale. But other data privacy laws have been introduced as well, including the California Consumer Privacy Act and Vermont's recent data privacy law.

Regulation is all well and good. But how are the requirements of these laws actually trickling down to the average employee at companies that handle customer data? Survey results released on Wednesday by ObserveIT uncover some differences between the UK and the US.

ObserveIT's survey polled 1,000 full-time employees in the US and the UK to gauge their understanding of the privacy regulations their organizations are subject to. Among the respondents, 59% in both the US and the UK said they handle sensitive information every day. Digging deeper, though, the results shine a light on how employees are handling that information.

In the US, 53% of respondents said they aren't aware of any federal or state regulations dictating how organizations manage customer data. When asked if they're familiar with any such specific laws, only 16% cited GDPR, 10% pointed to the California Consumer Privacy Act, and just 3% mentioned Vermont's data privacy law. Some 51% admitted that they weren't familiar with any of these three regulations.

In the UK, 83% of respondents said they were aware of data security policies implemented by their companies to ensure the protection of customer data in line with GDPR. Some 65% revealed that they are handling sensitive data differently since the introduction of GDPR. Further, 83% said they know their responsibilities for data protection compliance as an employee since GDPR became law.

On one level, a greater understanding of GDPR in the UK than in the US isn't surprising, as GDPR is a European regulation. However, many companies today operate on a global scale, and GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the organization itself is based. US companies with European customers are therefore still obligated to comply with it.

Training is obviously one critical factor that can help employees better understand and follow data privacy regulations. But this element also uncovered differences between the US and the UK. In the US, 46% of respondents said they received ample training from their employers to make sure customer data is protected as dictated by regulations. In the UK, 67% of respondents said they've received such training.

Another question in the survey asked employees what they saw as the most viable way to prevent loss of information as data breaches become more common. In the US, 43% of respondents pointed to tech solutions as the answer, while 37% cited employee training and 20% mentioned tighter policies on technology usage. In the UK, only 4% pointed to tech solutions as the best option, while 35% cited employee training and 9% mentioned tighter policies on tech usage. A full 50% of UK respondents said the most viable option was a mix of all three.

"Privacy regulations aren't going away any time soon," ObserveIT CEO Mike McKee said in a press release. "In fact, over the next several years, we'll likely see more regional policies go into effect as consumers demand more transparency around how their information is being used."
